MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6544621e2269b086855e399b0cb58f830ffaa613e0afc563e8f7e72d3087011. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 13



SHA256 hash: a6544621e2269b086855e399b0cb58f830ffaa613e0afc563e8f7e72d3087011
SHA3-384 hash: ae6cdcbd06d260f969ea7fc97a87368367440a29b49263627ccde0803da4140eff33ec7cb1cf96c618f4ef25072ea1e6
SHA1 hash: 7a3c18360db05e9858d4cf006b572f2c77ed42eb
MD5 hash: 6df0df8c8c349ab748d31d06008a6ce0
humanhash: seven-nineteen-nevada-april
File name: a6544621e2269b086855e399b0cb58f830ffaa613e0afc563e8f7e72d3087011
Signature: SnakeKeylogger
File size: 960'357 bytes
First seen: 2023-01-06 13:30:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep: 12288:2YVO4e20BZhlAMuY5N8VVxxXIvEA8+huwhUSdBIQudJnCoe/b:2YsQ0BZhlAMPSDIRThuwhxDAPC5b
Threatray: 41 similar samples on MalwareBazaar
TLSH: T12E1502FC36949772CD2049F0FB3FCBE55E717D5B20F856A22249BB6925B6001F807A68
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: e0d0d8d4d4d8d0e0 (7 x DarkCloud, 5 x AgentTesla, 4 x Formbook)
Reporter: adrian__luca
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 1
# of downloads: 179
Origin country: HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6544621e2269b086855e399b0cb58f830ffaa613e0afc563e8f7e72d3087011
Verdict:
Malicious activity
Analysis date:
2023-01-06 13:31:01 UTC
Tags:
autoit

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
No Threat
Threat level:
10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Signature
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 779066  Sample: Qi1CIP8mJH.exe  Start date: 06/01/2023  Architecture: WINDOWS  Score: 84
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Telegram RAT; Yara detected Snake Keylogger
Process tree:
  Qi1CIP8mJH.exe (started)
    dropped: C:\Users\user\AppData\...\ryivvswzsq.exe (PE32)
    ryivvswzsq.exe (started) - Machine Learning detection for dropped file; Found API chain indicative of debugger detection; Maps a DLL or memory area into another process
      ryivvswzsq.exe (started)
        WerFault.exe (started)
        conhost.exe (started)
Threat name:
Win32.Spyware.SnakeLogger
Status:
Malicious
First seen:
2022-12-26 10:48:36 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
20 of 26 (76.92%)
Threat level:
2/5
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
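The two behaviour lists above (a file written to %temp% and then launched; WriteProcessMemory, MapViewOfSection and SetThreadContext against a process the sample itself just created) describe one drop-and-inject chain. The following is an added example of detection logic for that chain, written for this page and not taken from MalwareBazaar or from any of the sandboxes quoted above. It assumes an API-call trace in a flat per-call dict form (pid, api name, and the few arguments the rules need); the trace, the field names and the pids are constructed to mirror the behaviour graph, not captured from the sample.

```python
"""Detect drop-and-execute followed by thread-context injection in an API trace.

Added example, not MalwareBazaar or vendor code.  Input is a list of dicts,
one per API call, with "pid" and "api" plus the arguments each rule reads.
Two findings are raised:
  drop_and_execute          a process writes an .exe under AppData/Temp and
                            then starts it (matches "Creating a process from
                            a recently created file" / "Executes dropped EXE")
  thread_context_injection  a process creates a child CREATE_SUSPENDED, writes
                            or maps memory into it, then calls SetThreadContext
                            (matches "Unauthorized injection ... by context
                            flags manipulation")
"""
from collections import defaultdict
from typing import Dict, List

CREATE_SUSPENDED = 0x4                      # dwCreationFlags bit
DROP_DIRS = ("\\appdata\\", "\\temp\\")     # lower-cased path fragments
INJECT_APIS = {"WriteProcessMemory", "NtMapViewOfSection", "MapViewOfSection"}

# Constructed trace (not captured): Qi1CIP8mJH.exe (pid 100) drops and runs
# ryivvswzsq.exe (pid 200); the dropped file hollows a second copy of itself
# (pid 300), which later crashes into WerFault.exe as the graph shows.
TRACE: List[Dict] = [
    {"pid": 100, "api": "NtWriteFile",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ryivvswzsq.exe"},
    {"pid": 100, "api": "CreateProcessW", "flags": 0x0, "child_pid": 200,
     "image": "C:\\Users\\user\\AppData\\Local\\Temp\\ryivvswzsq.exe"},
    {"pid": 200, "api": "IsDebuggerPresent"},
    {"pid": 200, "api": "CreateProcessW", "flags": CREATE_SUSPENDED, "child_pid": 300,
     "image": "C:\\Users\\user\\AppData\\Local\\Temp\\ryivvswzsq.exe"},
    {"pid": 200, "api": "NtMapViewOfSection", "target_pid": 300},
    {"pid": 200, "api": "WriteProcessMemory", "target_pid": 300},
    {"pid": 200, "api": "SetThreadContext", "target_pid": 300},
    {"pid": 200, "api": "ResumeThread", "target_pid": 300},
    {"pid": 300, "api": "CreateProcessW", "flags": 0x0, "child_pid": 400,
     "image": "C:\\Windows\\System32\\WerFault.exe"},
]


def detect(trace: List[Dict]) -> List[Dict]:
    """Walk the trace once, keeping per-process state so the chain order matters."""
    findings: List[Dict] = []
    written: Dict[int, set] = defaultdict(set)    # pid -> .exe paths it wrote
    suspended: Dict[int, set] = defaultdict(set)  # pid -> children started suspended
    injected: Dict[int, set] = defaultdict(set)   # pid -> suspended children it wrote into
    for ev in trace:
        pid, api = ev["pid"], ev["api"]
        if api == "NtWriteFile":
            path = ev["path"].lower()
            if path.endswith(".exe") and any(d in path for d in DROP_DIRS):
                written[pid].add(path)
        elif api == "CreateProcessW":
            if ev["image"].lower() in written[pid]:
                findings.append({"rule": "drop_and_execute", "pid": pid,
                                 "child_pid": ev["child_pid"], "image": ev["image"]})
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                suspended[pid].add(ev["child_pid"])
        elif api in INJECT_APIS:
            target = ev.get("target_pid")
            if target in suspended[pid]:
                injected[pid].add(target)
        elif api == "SetThreadContext":
            target = ev.get("target_pid")
            # Only fire when memory was already written/mapped into a child
            # this process started suspended; a bare SetThreadContext (debuggers,
            # some installers) stays silent.  Fire once per child.
            if target in injected[pid]:
                injected[pid].discard(target)
                findings.append({"rule": "thread_context_injection",
                                 "pid": pid, "child_pid": target})
    return findings


if __name__ == "__main__":
    for f in detect(TRACE):
        print(f)
```

The order check is the point: WriteProcessMemory or MapViewOfSection on its own is noisy (installers, AV, browsers), and so is a suspended CreateProcess. Requiring suspended creation, then a write or map into that child, then SetThreadContext on the same child is what narrows the rule to hollowing-style injection.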
Unpacked files
SHA256 hash:
bb6862abce8f297672bf358af836760a6c1fe381571ce8059759b5a84809d195
MD5 hash:
4947a717c54f45927de5fda2bd0fae96
SHA1 hash:
9ad5ddd623e44ec61f322c249e8d0f0ae5e33329
SHA256 hash:
e439f02b72a882498d512689f380e1323c4d8342578fe8608e81061cf4a8aee1
MD5 hash:
3d90ab79b9719aded136b7cd437ebb21
SHA1 hash:
dbec6e868a293cb0bd58d35191b1423ab8942384
SHA256 hash:
a6544621e2269b086855e399b0cb58f830ffaa613e0afc563e8f7e72d3087011
MD5 hash:
6df0df8c8c349ab748d31d06008a6ce0
SHA1 hash:
7a3c18360db05e9858d4cf006b572f2c77ed42eb
Malware family:
SnakeKeylogger
Verdict:
Malicious
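Every digest on this page (MD5, SHA1, SHA256 and SHA3-384 of the submitted file, plus MD5/SHA1/SHA256 of the three unpacked files) can be used directly as a hash IOC. The script below is an added example, not MalwareBazaar tooling: it hashes a local file once with all four algorithms and reports which entry of this record it matches. The IOC table is copied from the record; the file path given on the command line and the entry labels are the only assumed inputs.

```python
"""Hash a file once with MD5/SHA1/SHA256/SHA3-384 and match it against the record.

Added example (not MalwareBazaar code).  Digests in KNOWN_IOCS are copied from
the record above; labels are this example's own naming.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

KNOWN_IOCS: List[Dict[str, str]] = [
    {   # the submitted sample; also listed as one of the "unpacked" files
        "label": "SnakeKeylogger sample (submitted file)",
        "sha256": "a6544621e2269b086855e399b0cb58f830ffaa613e0afc563e8f7e72d3087011",
        "sha1": "7a3c18360db05e9858d4cf006b572f2c77ed42eb",
        "md5": "6df0df8c8c349ab748d31d06008a6ce0",
        "sha3_384": "ae6cdcbd06d260f969ea7fc97a87368367440a29b49263627ccde0803da4140e"
                    "ff33ec7cb1cf96c618f4ef25072ea1e6",
    },
    {
        "label": "unpacked file 1",
        "sha256": "bb6862abce8f297672bf358af836760a6c1fe381571ce8059759b5a84809d195",
        "sha1": "9ad5ddd623e44ec61f322c249e8d0f0ae5e33329",
        "md5": "4947a717c54f45927de5fda2bd0fae96",
    },
    {
        "label": "unpacked file 2",
        "sha256": "e439f02b72a882498d512689f380e1323c4d8342578fe8608e81061cf4a8aee1",
        "sha1": "dbec6e868a293cb0bd58d35191b1423ab8942384",
        "md5": "3d90ab79b9719aded136b7cd437ebb21",
    },
]


def hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four hash objects so the data is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""))


def match_iocs(digests: Dict[str, str],
               iocs: List[Dict[str, str]] = KNOWN_IOCS) -> List[Tuple[str, List[str]]]:
    """Return (label, [algorithms that matched]) for each IOC entry that is hit.

    Entries may carry only a subset of the algorithms (the unpacked files have
    no SHA3-384), so only the digests present in an entry are compared.  A hit
    on MD5 or SHA1 alone is still reported but should be confirmed by SHA256:
    both are collision-prone, so an attacker can ship a file that shares a
    benign file's MD5.
    """
    hits = []
    for entry in iocs:
        matched = [a for a in ALGORITHMS
                   if a in entry and entry[a].lower() == digests[a]]
        if matched:
            hits.append((entry["label"], matched))
    return hits


def triage(path: str) -> str:
    digests = hash_file(path)
    hits = match_iocs(digests)
    if not hits:
        return f"{path}: no match (sha256 {digests['sha256']})"
    return "\n".join(f"{path}: matches {label} via {', '.join(algs)}"
                     for label, algs in hits)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(triage(p))
```

Run it as `python triage.py <file> [<file> ...]`. Comparing all four digests in one pass costs little and catches the case where a feed gives you only an MD5 or only a SHA1 for the same artefact.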
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments